LEVEL OF CONFIDENCE IN RISK MANAGEMENT

Public

While financial reporting is definitely top-of-mind, 70% of directors on public boards indicated the risk is well managed by the organization's leadership. Directors of public boards, in general, seem to be comfortable with the management of risk, as "well managed" risks were far more prevalent with this group than with both private and not-for-profit directors.

It is fortunate public company boards have confidence in management, since many of the concerns identified do not seem easily managed through oversight by the board.

61% responded that liquidity risk is well managed; however, this risk was ranked as one of the most challenging in terms of effective oversight. Regulatory compliance risk is another challenge for boards to oversee; 45% of the directors felt public company management had it under control. If the boards feel that, from a distance, it is difficult to manage many of these risks, the question is how can they shift their influence to do so? While management may have the ultimate influence on day-to-day operations, the impact of board attention and governance should not be minimized, especially since the board is always held accountable. If the board does not feel it effectively oversees the most important risks confronting the organization, what actions should be taken to rectify the deficiencies? Revised committee structure? Increased board size? Revised compensation structure? Reworking the relationship and communication between the board and management? These are just some of the questions that need to be addressed and acted upon for some boards lacking confidence in effective risk management.

The outlier here is cybersecurity. It ranks as the least well-managed, with similar concerns about board oversight. This may be because this is a risk that is relatively new, increasingly dynamic, and often complex. Therefore, while it ranks high in concern, confidence in its management, at both the operational and board levels, is minimal (especially as new breaches are uncovered and publicized regularly).

Succession planning, cybersecurity and key skills deficits all received high "managed, but there are gaps" ratings (41%, 39% and 39%, respectively). This should concern public boards as they identified cybersecurity and succession planning as the top 2 risks – both most challenging in terms of effective oversight (by the board) and overall importance to your organization. If they are also poorly managed, is it expected the organization will not weather the risk well? How does the board anticipate gaining control and managing the issue? Boards need to assess risk management in light of management and board competencies and add management or board members to fill the gaps.

Private

The opinions of the directors of private boards vary slightly from those on public boards with regard to operational management of risk. Only 50% feel the organization's leadership is managing financial reporting risk well versus public boards' 70% consensus. Similarly, regulatory compliance risk is being managed well by about half of the respondents' organizational leadership (48% for private, 45% for public).

Senior management succession planning once again is a major risk, with the same number of respondents stating the organization manages the risk well as stating it is "managed, but there are gaps" (33%). This is also the case for cybersecurity at 24% in both categories.

Not-for-Profit

Not-for-profit boards have, by far, the least confidence in organizational leadership to manage senior management succession planning, with more than half (52%) indicating it is "poorly managed" or "managed with gaps." Not-for-profits also display the lowest "well managed" percentages for cybersecurity risk and senior management succession planning out of the three board types.

Not-for-profits tend to run lean and want to put as many resources and as much energy into their programs as possible. Therefore, allocating resources to recruiting, succession planning, and cybersecurity may divert funds from achieving program goals. However, these areas should be considered as part of the long-term strategy. These days, one of the most cost-effective methods of recruiting for a not-for-profit is through its website and social media. Cyber risk should be considered as part of the online presence to ensure that impostors are not utilizing a charity's logo or communicating inaccurate information.

Directors of public boards seem to be more comfortable with risk management than both private and not-for-profit directors, but the outlier here is cybersecurity. While cybersecurity ranks high in concern, confidence in its risk management is minimal.